Early bird prices are coming to an end soon... ⏰ Grab your tickets before January 17

This article was published on May 28, 2018

Be cautious, free VPNs are selling your data to 3rd parties


Be cautious, free VPNs are selling your data to 3rd parties

It isn’t unusual to find companies using deceptive practices when trying to market and grow their brands. One niche where this is very rife is in the VPN industry. It was recently revealed that contrary to claims on their websites, 26 of the 117 most popular VPN services log user data despite touting contrary claims in their marketing. That revelation will seem tame compared to findings on how free VPNs operate: many openly and brazenly share/sell user data.

Now that new GDPR laws are enforceable, more attention is being focused on how organizations use user data for marketing purposes. When it comes to data abuse, however, VPN service providers — particularly free VPN services — are the biggest culprits.

VPNs are generally regarded as a more secure alternative to a regular ISP for anonymizing your Internet traffic and unblocking blocked websites. Professionals use VPNs to protect their identity online but many VPN users wrongly assume that with a VPN no one has access to their data. Unfortunately, this is not the case — your VPN provider, in place of your ISP, could very well have access to your data.

Depending on which service you use, using a VPN could be worse than ordinarily using just your ISP. Just ask Ryan Lin, who was arrested late last year due to internet activities he carried out using an apparently secure VPN service. While the VPN service he used boldly touted the “fact” that they do not keep logs, they had logs of Lin’s online activity to deliver to the FBI when it was requested of them.

In fact, in most cases the fact that your data could be sold or shared is made clear on their privacy policy page but most users do not bother to read the fine print. Notable culprits include Hola (over 152 million people users) and Betternet (over 38 million users).

Most top free VPNs are part of a data selling/sharing program

If you use any form of free VPN service, not only is it highly unlikely that you’re being protected, but there’s a huge possibility that your data is being harvested and sold to the highest bidder.

To the unsuspecting user, providers of free VPN services are chivalrous knights in shining armor who understand the dangers censorship pose to the internet and are trying to help (as indeed many of them will claim on their website). However, to the providers of these free VPN services, they’ve struck a profitable business model based on selling user data.

Just ask these popular free VPN services:

1. Hola

Hola is synonymous with “unblock Netflix for free,” as attested to by the 152 million people who use their free VPN, but very few are aware that they’ve been caught turning the computer of users of their free VPN service into exit nodes and that they actually have a paid business arm to which they sell the bandwidth of their free VPN users.

In 2015, a group of researchers discovered several issues in Hola: besides allowing their users to be tracked across the internet, a bug was discovered that could be exploited to remotely run applications on computers of Hola users.

Worse, Hola was selling the bandwidth of users of their free service to people willing to pay through their Luminati business arm. In other words, while you are trying to use their free VPN to evade censorship and stay anonymous, a user of their paid service with criminal tendencies could use your IP to visit illegal sites and have you become responsible for it.

Hola will later fix some of these bugs and update their privacy policy to better reflect some of their practices, but the researchers maintain that some of the issues still exist.

2. Betternet

Betternet is one of the more popular free VPN services for mobile devices. They came out of obscurity and now have 38 million users. Their business model is slowly evolving, too — they launched a VPN router and now have paid plans for interested users.

What very few know, however, is that Betternet is one of the worst offenders when it comes to tracking and logging (as well as allowing their advertisers to track and log) user data.

According to a research paper by the CSIRO, an Australian federal government agency, the Betternet Android app has a whopping 14 tracking libraries — the highest of any free VPN service they were aware of.

In other words, people using Betternet to avoid being tracked by their ISP are being tracked left and right by even more unknown entities.

The full list by TheBestVPN features many more popular free VPN services that you’re probably aware of — and it’s not looking good. It seems every popular free VPN is guilty in some way.

That said, the problem of free VPNs selling or sharing data, injecting cookies, hijacking traffic, or engaging in other nefarious activities is not new. And it isn’t going to stop anytime soon!

Why free VPNs have to sell your data

If you’re not being sold a product, you’re most likely the product.

Most free VPNs will share or sell your data, or subject you to some sort of questionable practices, due to the following reasons:

1. Server costs

Your traffic will be routed through their servers, and they have to pay for servers. As a VPN network grows, the need will arise for more servers. Depending on the user base of the free VPN, server costs can easily run into the tens of thousands of dollars.

In the case of bigger VPNs, some who have a user base of hundreds of millions, server costs can run into millions.

2. To make money

When there is no product, it can be difficult to make money. Simply displaying advertisement won’t cut it — especially considering that ads are increasingly paying less.

With access to valuable user data, free VPN providers can offer more targeted ads and charge advertisers more, or they can even go ahead and sell/share the data and get paid for it.

3. Greed

When you have  access to data of hundreds of millions of people like Hola or other VPNs, it can be difficult overcoming the temptation to try to “monetize” this data.

With the user base many of these top free VPNs have, exploiting user data makes it easy to make millions of dollars every month. In Hola’s case, there’s not much expenses since it’s a P2P service and they do not have to own servers, but it’s difficult to resist the allure of monetizing the data of over 100 million people somehow.

Better alternatives to free VPNs

Using free VPNs is practically committing online privacy suicide. There are better alternatives:

1. Find an open source VPN

If you really must use a free VPN, the safest option is to go for an open source VPN. An open source VPN will have no financial motivation or incentive, and their code is out there in the open for all to see and critique. Some notable options include OpenVPN, Freelan, and SoftEther.

2. Use the Free VPN by the University of Tsukuba, Japan

Another alternative is VPN Gate, a free academic experiment run by the Graduate School of the University of Tsukuba, Japan.

That said, while you don’t have to worry about your data being shared or your privacy being compromised by VPN Gate, there could be limitations when you use their service: for example, they make it clear that they log your data to prevent abuse of their service.

3. Set up your own free VPN

You can take things to the next level and set up your own free VPN in the cloud. Depending on what app you use, you might not get full anonymity (your activities could be traced to the cloud service providers hosting these free VPNs), but you can be assured that you’re the only one with access to, and full control of, your data.

You can set up your own free VPN using Algo or Streisand. This will require some tech savvy, but it will be worth the privacy and peace of mind! This tutorial by Lifehacker is an handy guide to help you get started!

Conclusion

The battle for online privacy is a tough one. However, the easy way out is usually not the best. While it’s easy to install and use most free VPN services, there’s almost always a compromise: your data. If you’re willing to put in some technical effort, however, using some of the above options, you can still get free VPN access without having to worry about your privacy being compromised.

Update: In the original version of this article Hotspot Shield  was included as an example of a questionable VPN, citing a petition filed to the FTC against Hotspot Shield by the Center for Democracy & Technology (CDT). However, Hotspot shield had already answered these allegations and said the CDT’s filing unfounded. This has been rectified in the article.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with